
Thread: Port forwarding from one machine to another.

  1. #1
    Join Date
    Jul 2006
    Beans
    21
    Distro
    Ubuntu 6.06 Dapper

    SOLVED - Port forwarding from one machine to another.

    Hi,

    I have a router which is very stupid, and can't use PAT. Meaning, it can only forward port 443 to one single device on the internal network, and it cannot forward other external ports to 443 internally. It is 192.168.1.1.

    I have a device that is very stupid, and can only listen on port 443. It is 192.168.1.251.

    I have an HTTPS server on the LAN, and I don't *want* to make it listen on a different port just to accommodate the very stupid device. It is a Ubuntu 8.04.1 LTS Server machine, and can do anything I want it to. It is 192.168.1.4.

    My plan is this:
    1) have the router forward port 999 to the server.
    2) have the server listen on port 999 and seamlessly redirect the 999 traffic to 443 on the device
    3) have the device listen on 443, handle everything happily, and respond either to the server (which then responds to the original client) or directly to the client.

    Thing is, I can't actually make this work.

    I've tried netcat -
    nc -l -p 999 | nc 192.168.1.251 443 | nc -b -l -p 999
    fails because the third NC, to bind the returning traffic, can't grab port 999. And I'm not sure how to fix it.

    I've tried iptables -
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 192.168.1.251 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.4 --dport 999 -j DNAT --to-destination 192.168.1.251:443
    Again, no luck.

    I even got desperate, and tried SSH port forwarding:
    ssh -L 999:192.168.1.251:443 root@localhost
    and man-in-the-middling my own HTTPS device by adding a
    ProxyPass /device/ https://192.168.1.251/
    ProxyPassReverse /device/ https://192.168.1.251/
    to the site file on the existing HTTPS server.

    So: What I want to do is REALLY EASY if you just have a router that's smart enough to take an external *AND* an internal port.
    It's REALLY EASY if you have a router that's smart enough to have two external IPs.
    It looks REALLY EASY on paper with iptables or ProxyPass - and yet, I'm stuck. I've got nothing working, and I'm having trouble even finding out why my failures are, well, failing.
    Last edited by KingJohn; September 5th, 2008 at 10:08 PM. Reason: adding a "SOLVED" tag

  2. #2
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Port forwarding from one machine to another.

    So you want the router to port forward 999 to which server?
    Code:
    iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.4 --dport 999 -j DNAT --to-destination 192.168.1.251:443
    Why would you forward it to 192.168.1.4, then DNAT it to 192.168.1.251?

    Try this
    Code:
    sudo iptables -t nat -A OUTPUT -p tcp -m tcp --dport 999 -j DNAT --to-destination :443
    The traffic for port 999 should be forwarded to the server you run this command on.

  3. #3
    Join Date
    Jul 2006
    Beans
    21
    Distro
    Ubuntu 6.06 Dapper

    Re: Port forwarding from one machine to another.

    Both my server and my new device listen on HTTPS.
    The device cannot listen on a different port.
    I do not want to move my server to a different port.

    Right now, the firewall takes
    EXTERNALIP:443 and forwards it to SERVER:443

    What I *really* want is for the firewall to take
    EXTERNALIP:999 and forward that to DEVICE:443

    However, the router is stupid. The router can't do port translation.

    So what I'm trying to do is make the router take
    EXTERNAL:999 and forward that to SERVER:999, which will forward in turn to DEVICE:443

    The net result I want is that a user will type
    https://EXTERNALIP:999/ into their browser, and they will seamlessly see
    https://DEVICE:443/
    With all traffic back and forth appropriately routed so that it works just as if I'd forwarded 443 from the router to the device.

    Why would you forward it to 192.168.1.4, then DNAT it to 192.168.1.251?
    Because I really don't know what I'm doing when it comes to iptables. I am trying to run this from 192.168.1.4

    Try this

    sudo iptables -t nat -A OUTPUT -p tcp -m tcp --dport 999 -j DNAT --to-destination :443
    The traffic for port 999 should be forwarded to the server you run this command on.
    Don't I have to specify an IP with --to-destination? Otherwise, how does it know to take incoming port 999 traffic and send it to *the right server* on 443?

    Still, running "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 999 -j DNAT --to-destination 192.168.1.251:443" as root doesn't solve my problem, nor does doing it without the destination IP. In both cases, traffic still isn't getting forwarded from server:999 to device:443 and back.

  4. #4
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: Port forwarding from one machine to another.

    Quote Originally Posted by KingJohn
    Both my server and my new device listen on HTTPS.
    The device cannot listen on a different port.
    I do not want to move my server to a different port.

    Right now, the firewall takes
    EXTERNALIP:443 and forwards it to SERVER:443

    What I *really* want is for the firewall to take
    EXTERNALIP:999 and forward that to DEVICE:443

    However, the router is stupid. The router can't do port translation.

    So what I'm trying to do is make the router take
    EXTERNAL:999 and forward that to SERVER:999, which will forward in turn to DEVICE:443

    The net result I want is that a user will type
    https://EXTERNALIP:999/ into their browser, and they will seamlessly see
    https://DEVICE:443/
    With all traffic back and forth appropriately routed so that it works just as if I'd forwarded 443 from the router to the device.

    Because I really don't know what I'm doing when it comes to iptables. I am trying to run this from 192.168.1.4

    Don't I have to specify an IP with --to-destination? Otherwise, how does it know to take incoming port 999 traffic and send it to *the right server* on 443?

    Still, running "iptables -t nat -A OUTPUT -p tcp -m tcp --dport 999 -j DNAT --to-destination 192.168.1.251:443" as root doesn't solve my problem, nor does doing it without the destination IP. In both cases, traffic still isn't getting forwarded from server:999 to device:443 and back.
    I incorrectly assumed both servers were linux servers with iptables. Maybe the reason you are still having problems is because of the source address of the forwarded packets.
    Code:
    sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 999 -j DNAT --to-destination 192.168.1.251:443
    sudo iptables -t nat -A POSTROUTING -p tcp -m tcp -d 192.168.1.251 --dport 443 -j SNAT --to-source 192.168.1.4:999
    Also, you might have to enable IP forwarding
    Code:
    sudo -s
    echo 1 > /proc/sys/net/ipv4/ip_forward   # 1 enables forwarding; 0 would switch it off
    exit

  5. #5
    Join Date
    Oct 2006
    Location
    Central Florida
    Beans
    1,263
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Port forwarding from one machine to another.

    No chance of just getting another router? That's a lot to do when $40 or so can make it all go away...
    Why can't life have a sudo apt-get install -f command?
    Install VMWare Server 2 on a text-only system
    Need help getting your printer working in Linux?
    It's all about choice, right? Then stop flaming Windows users.

  6. #6
    Join Date
    Oct 2007
    Location
    ISS
    Beans
    1,429

  7. #7
    Join Date
    Jul 2006
    Beans
    21
    Distro
    Ubuntu 6.06 Dapper

    Re: Port forwarding from one machine to another.

    Solved the problem, actually.

    The magic fix is rinetd

    Step 1:
    install rinetd
    apt-get install rinetd
    Step 2:
    edit /etc/rinetd.conf to include the line
    192.168.1.4 999 192.168.1.251 443
    at the appropriate place - the default empty config file will show you.

    Step 3:
    restart rinetd to notice the new config file.
    /etc/init.d/rinetd restart
    Problem solved! Port forwarded! Everything works perfectly!

  8. #8
    Join Date
    Oct 2007
    Location
    ISS
    Beans
    1,429

    Re: Port forwarding from one machine to another.

    Thanks. I didn't know about rinetd. Here are some links for future reference:

    howtoforge

    ubuntugeek.com

    debian-admin

  9. #9
    Join Date
    Oct 2012
    Beans
    1

    Re: Port forwarding from one machine to another.

    This post helped me a lot. My situation:

    I needed to forward rdp (port 3389) traffic from an ubuntu 12.04 LTS server connected to a remote Cisco SSL vpn using openconnect. Ultimate goal: I wanted to connect from a chromebook (which doesn't support ssl vpn) to a windows terminal server at work.

    I tried all the iptables combinations I could find on google and nothing worked. Installed rinetd per the instructions in this thread, modified the conf file, restarted the service, started up the VPN and voila! It works!! Now I can just use chrome rdp to connect to my linux box and it passes right through the vpn connection to the windows terminal server.

    Thanks so much to the original posters!
